The Image that called me Active Content Injection with SVG Files

A presentation by Mario Heiderich, 2011

Introduction

● Mario Heiderich

● Researcher and PhD student at the Ruhr- University, Bochum ● Security Researcher for Microsoft, Redmond ● Security Consultant for XING AG, Hamburg ● Published author and international speaker ● HTML5 Security Cheatsheet / H5SC ● PHPIDS Project

Today

● SVGs and the modern web

● What are SVGs? ● What are they capable of? ● Which browsers “understand” SVG? ● Why there are conflicted areas?

● And what does that have to do with security?

SVG Images

● Scalable Vector Graphics

● XML based, therefore

● Versatile

● Accessible

● Compressible

● “Stylable” w. CSS

● Open

● Great for mobile devices

● Easy to parse and process

● Ancient format, older than 10 years

● Relations to HTML5, the living standard

SVG History

● Proposed by several W3C members in 1998

● Derived from Adobe Postscript and VML

● Developed in 1999

● Currently at version 1.1

● Version 1.2 still a working draft

● Might be overtaken by SVG 2.0 ● Good browser support

● Gecko, Webkit, Presto, and Trident

Basic Example

SVG Family

● SVG Tiny 1.2

● Designed for cellphones and smart-phones ● 47 Tags ● SVG Basic 1.1

● Designed for handhelds, tablets and net-books ● 71 tags ● SVG Full 1.1

● Full feature set ● 81 tags

Features

● Geometrical shapes

● Circles, ellipses, squares, lines and more

● SVG fonts

● Font specific formatting and glyph styles

● Links

● Animations and Transformations

● Gradients and Effects

● Meta-data

● Scripting and Events

● Inclusion of arbitrary objects

SVG in Action

Scripting

● The following SVG executes JavaScript

● More examples?

More Scripting

Deploying SVGs

● Several ways of deploying SVGs, implemented by modern browsers ● Five important ones are:

● Opening the file directly ● Deployment via